001/** 002 * Licensed to the Apache Software Foundation (ASF) under one 003 * or more contributor license agreements. See the NOTICE file 004 * distributed with this work for additional information 005 * regarding copyright ownership. The ASF licenses this file 006 * to you under the Apache License, Version 2.0 (the 007 * "License"); you may not use this file except in compliance 008 * with the License. You may obtain a copy of the License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, software 013 * distributed under the License is distributed on an "AS IS" BASIS, 014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 015 * See the License for the specific language governing permissions and 016 * limitations under the License. 017 */ 018package org.apache.hadoop.security; 019 020import static org.apache.hadoop.fs.CommonConfigurationKeys.HADOOP_USER_GROUP_METRICS_PERCENTILES_INTERVALS; 021import static org.apache.hadoop.util.PlatformName.IBM_JAVA; 022 023import java.io.File; 024import java.io.IOException; 025import java.lang.reflect.UndeclaredThrowableException; 026import java.security.AccessControlContext; 027import java.security.AccessController; 028import java.security.Principal; 029import java.security.PrivilegedAction; 030import java.security.PrivilegedActionException; 031import java.security.PrivilegedExceptionAction; 032import java.util.ArrayList; 033import java.util.Arrays; 034import java.util.Collection; 035import java.util.Collections; 036import java.util.HashMap; 037import java.util.Iterator; 038import java.util.LinkedHashSet; 039import java.util.List; 040import java.util.Map; 041import java.util.Set; 042 043import javax.security.auth.Subject; 044import javax.security.auth.callback.CallbackHandler; 045import javax.security.auth.kerberos.KerberosPrincipal; 046import javax.security.auth.kerberos.KerberosTicket; 047import javax.security.auth.kerberos.KeyTab; 048import javax.security.auth.login.AppConfigurationEntry; 049import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag; 050import javax.security.auth.login.LoginContext; 051import javax.security.auth.login.LoginException; 052import javax.security.auth.spi.LoginModule; 053 054import org.apache.commons.logging.Log; 055import org.apache.commons.logging.LogFactory; 056import org.apache.hadoop.classification.InterfaceAudience; 057import org.apache.hadoop.classification.InterfaceStability; 058import org.apache.hadoop.conf.Configuration; 059import org.apache.hadoop.io.Text; 060import org.apache.hadoop.metrics2.annotation.Metric; 061import org.apache.hadoop.metrics2.annotation.Metrics; 062import org.apache.hadoop.metrics2.lib.DefaultMetricsSystem; 063import org.apache.hadoop.metrics2.lib.MetricsRegistry; 064import org.apache.hadoop.metrics2.lib.MutableQuantiles; 065import org.apache.hadoop.metrics2.lib.MutableRate; 066import org.apache.hadoop.security.SaslRpcServer.AuthMethod; 067import org.apache.hadoop.security.authentication.util.KerberosUtil; 068import org.apache.hadoop.security.token.Token; 069import org.apache.hadoop.security.token.TokenIdentifier; 070import org.apache.hadoop.util.Shell; 071import org.apache.hadoop.util.Time; 072 073import com.google.common.annotations.VisibleForTesting; 074 075/** 076 * User and group information for Hadoop. 077 * This class wraps around a JAAS Subject and provides methods to determine the 078 * user's username and groups. It supports both the Windows, Unix and Kerberos 079 * login modules. 080 */ 081@InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce", "HBase", "Hive", "Oozie"}) 082@InterfaceStability.Evolving 083public class UserGroupInformation { 084 private static final Log LOG = LogFactory.getLog(UserGroupInformation.class); 085 /** 086 * Percentage of the ticket window to use before we renew ticket. 087 */ 088 private static final float TICKET_RENEW_WINDOW = 0.80f; 089 private static boolean shouldRenewImmediatelyForTests = false; 090 static final String HADOOP_USER_NAME = "HADOOP_USER_NAME"; 091 static final String HADOOP_PROXY_USER = "HADOOP_PROXY_USER"; 092 093 /** 094 * For the purposes of unit tests, we want to test login 095 * from keytab and don't want to wait until the renew 096 * window (controlled by TICKET_RENEW_WINDOW). 097 * @param immediate true if we should login without waiting for ticket window 098 */ 099 @VisibleForTesting 100 static void setShouldRenewImmediatelyForTests(boolean immediate) { 101 shouldRenewImmediatelyForTests = immediate; 102 } 103 104 /** 105 * UgiMetrics maintains UGI activity statistics 106 * and publishes them through the metrics interfaces. 107 */ 108 @Metrics(about="User and group related metrics", context="ugi") 109 static class UgiMetrics { 110 final MetricsRegistry registry = new MetricsRegistry("UgiMetrics"); 111 112 @Metric("Rate of successful kerberos logins and latency (milliseconds)") 113 MutableRate loginSuccess; 114 @Metric("Rate of failed kerberos logins and latency (milliseconds)") 115 MutableRate loginFailure; 116 @Metric("GetGroups") MutableRate getGroups; 117 MutableQuantiles[] getGroupsQuantiles; 118 119 static UgiMetrics create() { 120 return DefaultMetricsSystem.instance().register(new UgiMetrics()); 121 } 122 123 void addGetGroups(long latency) { 124 getGroups.add(latency); 125 if (getGroupsQuantiles != null) { 126 for (MutableQuantiles q : getGroupsQuantiles) { 127 q.add(latency); 128 } 129 } 130 } 131 } 132 133 /** 134 * A login module that looks at the Kerberos, Unix, or Windows principal and 135 * adds the corresponding UserName. 136 */ 137 @InterfaceAudience.Private 138 public static class HadoopLoginModule implements LoginModule { 139 private Subject subject; 140 141 @Override 142 public boolean abort() throws LoginException { 143 return true; 144 } 145 146 private <T extends Principal> T getCanonicalUser(Class<T> cls) { 147 for(T user: subject.getPrincipals(cls)) { 148 return user; 149 } 150 return null; 151 } 152 153 @Override 154 public boolean commit() throws LoginException { 155 if (LOG.isDebugEnabled()) { 156 LOG.debug("hadoop login commit"); 157 } 158 // if we already have a user, we are done. 159 if (!subject.getPrincipals(User.class).isEmpty()) { 160 if (LOG.isDebugEnabled()) { 161 LOG.debug("using existing subject:"+subject.getPrincipals()); 162 } 163 return true; 164 } 165 Principal user = null; 166 // if we are using kerberos, try it out 167 if (isAuthenticationMethodEnabled(AuthenticationMethod.KERBEROS)) { 168 user = getCanonicalUser(KerberosPrincipal.class); 169 if (LOG.isDebugEnabled()) { 170 LOG.debug("using kerberos user:"+user); 171 } 172 } 173 //If we don't have a kerberos user and security is disabled, check 174 //if user is specified in the environment or properties 175 if (!isSecurityEnabled() && (user == null)) { 176 String envUser = System.getenv(HADOOP_USER_NAME); 177 if (envUser == null) { 178 envUser = System.getProperty(HADOOP_USER_NAME); 179 } 180 user = envUser == null ? null : new User(envUser); 181 } 182 // use the OS user 183 if (user == null) { 184 user = getCanonicalUser(OS_PRINCIPAL_CLASS); 185 if (LOG.isDebugEnabled()) { 186 LOG.debug("using local user:"+user); 187 } 188 } 189 // if we found the user, add our principal 190 if (user != null) { 191 if (LOG.isDebugEnabled()) { 192 LOG.debug("Using user: \"" + user + "\" with name " + user.getName()); 193 } 194 195 User userEntry = null; 196 try { 197 userEntry = new User(user.getName()); 198 } catch (Exception e) { 199 throw (LoginException)(new LoginException(e.toString()).initCause(e)); 200 } 201 if (LOG.isDebugEnabled()) { 202 LOG.debug("User entry: \"" + userEntry.toString() + "\"" ); 203 } 204 205 subject.getPrincipals().add(userEntry); 206 return true; 207 } 208 LOG.error("Can't find user in " + subject); 209 throw new LoginException("Can't find user name"); 210 } 211 212 @Override 213 public void initialize(Subject subject, CallbackHandler callbackHandler, 214 Map<String, ?> sharedState, Map<String, ?> options) { 215 this.subject = subject; 216 } 217 218 @Override 219 public boolean login() throws LoginException { 220 if (LOG.isDebugEnabled()) { 221 LOG.debug("hadoop login"); 222 } 223 return true; 224 } 225 226 @Override 227 public boolean logout() throws LoginException { 228 if (LOG.isDebugEnabled()) { 229 LOG.debug("hadoop logout"); 230 } 231 return true; 232 } 233 } 234 235 /** Metrics to track UGI activity */ 236 static UgiMetrics metrics = UgiMetrics.create(); 237 /** The auth method to use */ 238 private static AuthenticationMethod authenticationMethod; 239 /** Server-side groups fetching service */ 240 private static Groups groups; 241 /** The configuration to use */ 242 private static Configuration conf; 243 244 245 /** Leave 10 minutes between relogin attempts. */ 246 private static final long MIN_TIME_BEFORE_RELOGIN = 10 * 60 * 1000L; 247 248 /**Environment variable pointing to the token cache file*/ 249 public static final String HADOOP_TOKEN_FILE_LOCATION = 250 "HADOOP_TOKEN_FILE_LOCATION"; 251 252 /** 253 * A method to initialize the fields that depend on a configuration. 254 * Must be called before useKerberos or groups is used. 255 */ 256 private static void ensureInitialized() { 257 if (conf == null) { 258 synchronized(UserGroupInformation.class) { 259 if (conf == null) { // someone might have beat us 260 initialize(new Configuration(), false); 261 } 262 } 263 } 264 } 265 266 /** 267 * Initialize UGI and related classes. 268 * @param conf the configuration to use 269 */ 270 private static synchronized void initialize(Configuration conf, 271 boolean overrideNameRules) { 272 authenticationMethod = SecurityUtil.getAuthenticationMethod(conf); 273 if (overrideNameRules || !HadoopKerberosName.hasRulesBeenSet()) { 274 try { 275 HadoopKerberosName.setConfiguration(conf); 276 } catch (IOException ioe) { 277 throw new RuntimeException( 278 "Problem with Kerberos auth_to_local name configuration", ioe); 279 } 280 } 281 // If we haven't set up testing groups, use the configuration to find it 282 if (!(groups instanceof TestingGroups)) { 283 groups = Groups.getUserToGroupsMappingService(conf); 284 } 285 UserGroupInformation.conf = conf; 286 287 if (metrics.getGroupsQuantiles == null) { 288 int[] intervals = conf.getInts(HADOOP_USER_GROUP_METRICS_PERCENTILES_INTERVALS); 289 if (intervals != null && intervals.length > 0) { 290 final int length = intervals.length; 291 MutableQuantiles[] getGroupsQuantiles = new MutableQuantiles[length]; 292 for (int i = 0; i < length; i++) { 293 getGroupsQuantiles[i] = metrics.registry.newQuantiles( 294 "getGroups" + intervals[i] + "s", 295 "Get groups", "ops", "latency", intervals[i]); 296 } 297 metrics.getGroupsQuantiles = getGroupsQuantiles; 298 } 299 } 300 } 301 302 /** 303 * Set the static configuration for UGI. 304 * In particular, set the security authentication mechanism and the 305 * group look up service. 306 * @param conf the configuration to use 307 */ 308 @InterfaceAudience.Public 309 @InterfaceStability.Evolving 310 public static void setConfiguration(Configuration conf) { 311 initialize(conf, true); 312 } 313 314 @InterfaceAudience.Private 315 @VisibleForTesting 316 static void reset() { 317 authenticationMethod = null; 318 conf = null; 319 groups = null; 320 setLoginUser(null); 321 HadoopKerberosName.setRules(null); 322 } 323 324 /** 325 * Determine if UserGroupInformation is using Kerberos to determine 326 * user identities or is relying on simple authentication 327 * 328 * @return true if UGI is working in a secure environment 329 */ 330 public static boolean isSecurityEnabled() { 331 return !isAuthenticationMethodEnabled(AuthenticationMethod.SIMPLE); 332 } 333 334 @InterfaceAudience.Private 335 @InterfaceStability.Evolving 336 private static boolean isAuthenticationMethodEnabled(AuthenticationMethod method) { 337 ensureInitialized(); 338 return (authenticationMethod == method); 339 } 340 341 /** 342 * Information about the logged in user. 343 */ 344 private static UserGroupInformation loginUser = null; 345 private static String keytabPrincipal = null; 346 private static String keytabFile = null; 347 348 private final Subject subject; 349 // All non-static fields must be read-only caches that come from the subject. 350 private final User user; 351 private final boolean isKeytab; 352 private final boolean isKrbTkt; 353 354 private static String OS_LOGIN_MODULE_NAME; 355 private static Class<? extends Principal> OS_PRINCIPAL_CLASS; 356 357 private static final boolean windows = 358 System.getProperty("os.name").startsWith("Windows"); 359 private static final boolean is64Bit = 360 System.getProperty("os.arch").contains("64"); 361 private static final boolean aix = System.getProperty("os.name").equals("AIX"); 362 363 /* Return the OS login module class name */ 364 private static String getOSLoginModuleName() { 365 if (IBM_JAVA) { 366 if (windows) { 367 return is64Bit ? "com.ibm.security.auth.module.Win64LoginModule" 368 : "com.ibm.security.auth.module.NTLoginModule"; 369 } else if (aix) { 370 return is64Bit ? "com.ibm.security.auth.module.AIX64LoginModule" 371 : "com.ibm.security.auth.module.AIXLoginModule"; 372 } else { 373 return "com.ibm.security.auth.module.LinuxLoginModule"; 374 } 375 } else { 376 return windows ? "com.sun.security.auth.module.NTLoginModule" 377 : "com.sun.security.auth.module.UnixLoginModule"; 378 } 379 } 380 381 /* Return the OS principal class */ 382 @SuppressWarnings("unchecked") 383 private static Class<? extends Principal> getOsPrincipalClass() { 384 ClassLoader cl = ClassLoader.getSystemClassLoader(); 385 try { 386 String principalClass = null; 387 if (IBM_JAVA) { 388 if (is64Bit) { 389 principalClass = "com.ibm.security.auth.UsernamePrincipal"; 390 } else { 391 if (windows) { 392 principalClass = "com.ibm.security.auth.NTUserPrincipal"; 393 } else if (aix) { 394 principalClass = "com.ibm.security.auth.AIXPrincipal"; 395 } else { 396 principalClass = "com.ibm.security.auth.LinuxPrincipal"; 397 } 398 } 399 } else { 400 principalClass = windows ? "com.sun.security.auth.NTUserPrincipal" 401 : "com.sun.security.auth.UnixPrincipal"; 402 } 403 return (Class<? extends Principal>) cl.loadClass(principalClass); 404 } catch (ClassNotFoundException e) { 405 LOG.error("Unable to find JAAS classes:" + e.getMessage()); 406 } 407 return null; 408 } 409 static { 410 OS_LOGIN_MODULE_NAME = getOSLoginModuleName(); 411 OS_PRINCIPAL_CLASS = getOsPrincipalClass(); 412 } 413 414 private static class RealUser implements Principal { 415 private final UserGroupInformation realUser; 416 417 RealUser(UserGroupInformation realUser) { 418 this.realUser = realUser; 419 } 420 421 @Override 422 public String getName() { 423 return realUser.getUserName(); 424 } 425 426 public UserGroupInformation getRealUser() { 427 return realUser; 428 } 429 430 @Override 431 public boolean equals(Object o) { 432 if (this == o) { 433 return true; 434 } else if (o == null || getClass() != o.getClass()) { 435 return false; 436 } else { 437 return realUser.equals(((RealUser) o).realUser); 438 } 439 } 440 441 @Override 442 public int hashCode() { 443 return realUser.hashCode(); 444 } 445 446 @Override 447 public String toString() { 448 return realUser.toString(); 449 } 450 } 451 452 /** 453 * A JAAS configuration that defines the login modules that we want 454 * to use for login. 455 */ 456 private static class HadoopConfiguration 457 extends javax.security.auth.login.Configuration { 458 private static final String SIMPLE_CONFIG_NAME = "hadoop-simple"; 459 private static final String USER_KERBEROS_CONFIG_NAME = 460 "hadoop-user-kerberos"; 461 private static final String KEYTAB_KERBEROS_CONFIG_NAME = 462 "hadoop-keytab-kerberos"; 463 464 private static final Map<String, String> BASIC_JAAS_OPTIONS = 465 new HashMap<String,String>(); 466 static { 467 String jaasEnvVar = System.getenv("HADOOP_JAAS_DEBUG"); 468 if (jaasEnvVar != null && "true".equalsIgnoreCase(jaasEnvVar)) { 469 BASIC_JAAS_OPTIONS.put("debug", "true"); 470 } 471 } 472 473 private static final AppConfigurationEntry OS_SPECIFIC_LOGIN = 474 new AppConfigurationEntry(OS_LOGIN_MODULE_NAME, 475 LoginModuleControlFlag.REQUIRED, 476 BASIC_JAAS_OPTIONS); 477 private static final AppConfigurationEntry HADOOP_LOGIN = 478 new AppConfigurationEntry(HadoopLoginModule.class.getName(), 479 LoginModuleControlFlag.REQUIRED, 480 BASIC_JAAS_OPTIONS); 481 private static final Map<String,String> USER_KERBEROS_OPTIONS = 482 new HashMap<String,String>(); 483 static { 484 if (IBM_JAVA) { 485 USER_KERBEROS_OPTIONS.put("useDefaultCcache", "true"); 486 } else { 487 USER_KERBEROS_OPTIONS.put("doNotPrompt", "true"); 488 USER_KERBEROS_OPTIONS.put("useTicketCache", "true"); 489 } 490 String ticketCache = System.getenv("KRB5CCNAME"); 491 if (ticketCache != null) { 492 if (IBM_JAVA) { 493 // The first value searched when "useDefaultCcache" is used. 494 System.setProperty("KRB5CCNAME", ticketCache); 495 } else { 496 USER_KERBEROS_OPTIONS.put("ticketCache", ticketCache); 497 } 498 } 499 USER_KERBEROS_OPTIONS.put("renewTGT", "true"); 500 USER_KERBEROS_OPTIONS.putAll(BASIC_JAAS_OPTIONS); 501 } 502 private static final AppConfigurationEntry USER_KERBEROS_LOGIN = 503 new AppConfigurationEntry(KerberosUtil.getKrb5LoginModuleName(), 504 LoginModuleControlFlag.OPTIONAL, 505 USER_KERBEROS_OPTIONS); 506 private static final Map<String,String> KEYTAB_KERBEROS_OPTIONS = 507 new HashMap<String,String>(); 508 static { 509 if (IBM_JAVA) { 510 KEYTAB_KERBEROS_OPTIONS.put("credsType", "both"); 511 } else { 512 KEYTAB_KERBEROS_OPTIONS.put("doNotPrompt", "true"); 513 KEYTAB_KERBEROS_OPTIONS.put("useKeyTab", "true"); 514 KEYTAB_KERBEROS_OPTIONS.put("storeKey", "true"); 515 } 516 KEYTAB_KERBEROS_OPTIONS.put("refreshKrb5Config", "true"); 517 KEYTAB_KERBEROS_OPTIONS.putAll(BASIC_JAAS_OPTIONS); 518 } 519 private static final AppConfigurationEntry KEYTAB_KERBEROS_LOGIN = 520 new AppConfigurationEntry(KerberosUtil.getKrb5LoginModuleName(), 521 LoginModuleControlFlag.REQUIRED, 522 KEYTAB_KERBEROS_OPTIONS); 523 524 private static final AppConfigurationEntry[] SIMPLE_CONF = 525 new AppConfigurationEntry[]{OS_SPECIFIC_LOGIN, HADOOP_LOGIN}; 526 527 private static final AppConfigurationEntry[] USER_KERBEROS_CONF = 528 new AppConfigurationEntry[]{OS_SPECIFIC_LOGIN, USER_KERBEROS_LOGIN, 529 HADOOP_LOGIN}; 530 531 private static final AppConfigurationEntry[] KEYTAB_KERBEROS_CONF = 532 new AppConfigurationEntry[]{KEYTAB_KERBEROS_LOGIN, HADOOP_LOGIN}; 533 534 @Override 535 public AppConfigurationEntry[] getAppConfigurationEntry(String appName) { 536 if (SIMPLE_CONFIG_NAME.equals(appName)) { 537 return SIMPLE_CONF; 538 } else if (USER_KERBEROS_CONFIG_NAME.equals(appName)) { 539 return USER_KERBEROS_CONF; 540 } else if (KEYTAB_KERBEROS_CONFIG_NAME.equals(appName)) { 541 if (IBM_JAVA) { 542 KEYTAB_KERBEROS_OPTIONS.put("useKeytab", 543 prependFileAuthority(keytabFile)); 544 } else { 545 KEYTAB_KERBEROS_OPTIONS.put("keyTab", keytabFile); 546 } 547 KEYTAB_KERBEROS_OPTIONS.put("principal", keytabPrincipal); 548 return KEYTAB_KERBEROS_CONF; 549 } 550 return null; 551 } 552 } 553 554 private static String prependFileAuthority(String keytabPath) { 555 return keytabPath.startsWith("file://") ? keytabPath 556 : "file://" + keytabPath; 557 } 558 559 /** 560 * Represents a javax.security configuration that is created at runtime. 561 */ 562 private static class DynamicConfiguration 563 extends javax.security.auth.login.Configuration { 564 private AppConfigurationEntry[] ace; 565 566 DynamicConfiguration(AppConfigurationEntry[] ace) { 567 this.ace = ace; 568 } 569 570 @Override 571 public AppConfigurationEntry[] getAppConfigurationEntry(String appName) { 572 return ace; 573 } 574 } 575 576 private static LoginContext 577 newLoginContext(String appName, Subject subject, 578 javax.security.auth.login.Configuration loginConf) 579 throws LoginException { 580 // Temporarily switch the thread's ContextClassLoader to match this 581 // class's classloader, so that we can properly load HadoopLoginModule 582 // from the JAAS libraries. 583 Thread t = Thread.currentThread(); 584 ClassLoader oldCCL = t.getContextClassLoader(); 585 t.setContextClassLoader(HadoopLoginModule.class.getClassLoader()); 586 try { 587 return new LoginContext(appName, subject, null, loginConf); 588 } finally { 589 t.setContextClassLoader(oldCCL); 590 } 591 } 592 593 private LoginContext getLogin() { 594 return user.getLogin(); 595 } 596 597 private void setLogin(LoginContext login) { 598 user.setLogin(login); 599 } 600 601 /** 602 * Create a UserGroupInformation for the given subject. 603 * This does not change the subject or acquire new credentials. 604 * @param subject the user's subject 605 */ 606 UserGroupInformation(Subject subject) { 607 this.subject = subject; 608 this.user = subject.getPrincipals(User.class).iterator().next(); 609 this.isKeytab = !subject.getPrivateCredentials(KeyTab.class).isEmpty(); 610 this.isKrbTkt = !subject.getPrivateCredentials(KerberosTicket.class).isEmpty(); 611 } 612 613 /** 614 * checks if logged in using kerberos 615 * @return true if the subject logged via keytab or has a Kerberos TGT 616 */ 617 public boolean hasKerberosCredentials() { 618 return isKeytab || isKrbTkt; 619 } 620 621 /** 622 * Return the current user, including any doAs in the current stack. 623 * @return the current user 624 * @throws IOException if login fails 625 */ 626 @InterfaceAudience.Public 627 @InterfaceStability.Evolving 628 public synchronized 629 static UserGroupInformation getCurrentUser() throws IOException { 630 AccessControlContext context = AccessController.getContext(); 631 Subject subject = Subject.getSubject(context); 632 if (subject == null || subject.getPrincipals(User.class).isEmpty()) { 633 return getLoginUser(); 634 } else { 635 return new UserGroupInformation(subject); 636 } 637 } 638 639 /** 640 * Find the most appropriate UserGroupInformation to use 641 * 642 * @param ticketCachePath The Kerberos ticket cache path, or NULL 643 * if none is specfied 644 * @param user The user name, or NULL if none is specified. 645 * 646 * @return The most appropriate UserGroupInformation 647 */ 648 public static UserGroupInformation getBestUGI( 649 String ticketCachePath, String user) throws IOException { 650 if (ticketCachePath != null) { 651 return getUGIFromTicketCache(ticketCachePath, user); 652 } else if (user == null) { 653 return getCurrentUser(); 654 } else { 655 return createRemoteUser(user); 656 } 657 } 658 659 /** 660 * Create a UserGroupInformation from a Kerberos ticket cache. 661 * 662 * @param user The principal name to load from the ticket 663 * cache 664 * @param ticketCachePath the path to the ticket cache file 665 * 666 * @throws IOException if the kerberos login fails 667 */ 668 @InterfaceAudience.Public 669 @InterfaceStability.Evolving 670 public static UserGroupInformation getUGIFromTicketCache( 671 String ticketCache, String user) throws IOException { 672 if (!isAuthenticationMethodEnabled(AuthenticationMethod.KERBEROS)) { 673 return getBestUGI(null, user); 674 } 675 try { 676 Map<String,String> krbOptions = new HashMap<String,String>(); 677 if (IBM_JAVA) { 678 krbOptions.put("useDefaultCcache", "true"); 679 // The first value searched when "useDefaultCcache" is used. 680 System.setProperty("KRB5CCNAME", ticketCache); 681 } else { 682 krbOptions.put("doNotPrompt", "true"); 683 krbOptions.put("useTicketCache", "true"); 684 krbOptions.put("useKeyTab", "false"); 685 krbOptions.put("ticketCache", ticketCache); 686 } 687 krbOptions.put("renewTGT", "false"); 688 krbOptions.putAll(HadoopConfiguration.BASIC_JAAS_OPTIONS); 689 AppConfigurationEntry ace = new AppConfigurationEntry( 690 KerberosUtil.getKrb5LoginModuleName(), 691 LoginModuleControlFlag.REQUIRED, 692 krbOptions); 693 DynamicConfiguration dynConf = 694 new DynamicConfiguration(new AppConfigurationEntry[]{ ace }); 695 LoginContext login = newLoginContext( 696 HadoopConfiguration.USER_KERBEROS_CONFIG_NAME, null, dynConf); 697 login.login(); 698 699 Subject loginSubject = login.getSubject(); 700 Set<Principal> loginPrincipals = loginSubject.getPrincipals(); 701 if (loginPrincipals.isEmpty()) { 702 throw new RuntimeException("No login principals found!"); 703 } 704 if (loginPrincipals.size() != 1) { 705 LOG.warn("found more than one principal in the ticket cache file " + 706 ticketCache); 707 } 708 User ugiUser = new User(loginPrincipals.iterator().next().getName(), 709 AuthenticationMethod.KERBEROS, login); 710 loginSubject.getPrincipals().add(ugiUser); 711 UserGroupInformation ugi = new UserGroupInformation(loginSubject); 712 ugi.setLogin(login); 713 ugi.setAuthenticationMethod(AuthenticationMethod.KERBEROS); 714 return ugi; 715 } catch (LoginException le) { 716 throw new IOException("failure to login using ticket cache file " + 717 ticketCache, le); 718 } 719 } 720 721 /** 722 * Create a UserGroupInformation from a Subject with Kerberos principal. 723 * 724 * @param user The KerberosPrincipal to use in UGI 725 * 726 * @throws IOException if the kerberos login fails 727 */ 728 public static UserGroupInformation getUGIFromSubject(Subject subject) 729 throws IOException { 730 if (subject == null) { 731 throw new IOException("Subject must not be null"); 732 } 733 734 if (subject.getPrincipals(KerberosPrincipal.class).isEmpty()) { 735 throw new IOException("Provided Subject must contain a KerberosPrincipal"); 736 } 737 738 KerberosPrincipal principal = 739 subject.getPrincipals(KerberosPrincipal.class).iterator().next(); 740 741 User ugiUser = new User(principal.getName(), 742 AuthenticationMethod.KERBEROS, null); 743 subject.getPrincipals().add(ugiUser); 744 UserGroupInformation ugi = new UserGroupInformation(subject); 745 ugi.setLogin(null); 746 ugi.setAuthenticationMethod(AuthenticationMethod.KERBEROS); 747 return ugi; 748 } 749 750 /** 751 * Get the currently logged in user. 752 * @return the logged in user 753 * @throws IOException if login fails 754 */ 755 @InterfaceAudience.Public 756 @InterfaceStability.Evolving 757 public synchronized 758 static UserGroupInformation getLoginUser() throws IOException { 759 if (loginUser == null) { 760 loginUserFromSubject(null); 761 } 762 return loginUser; 763 } 764 765 /** 766 * remove the login method that is followed by a space from the username 767 * e.g. "jack (auth:SIMPLE)" -> "jack" 768 * 769 * @param userName 770 * @return userName without login method 771 */ 772 public static String trimLoginMethod(String userName) { 773 int spaceIndex = userName.indexOf(' '); 774 if (spaceIndex >= 0) { 775 userName = userName.substring(0, spaceIndex); 776 } 777 return userName; 778 } 779 780 /** 781 * Log in a user using the given subject 782 * @parma subject the subject to use when logging in a user, or null to 783 * create a new subject. 784 * @throws IOException if login fails 785 */ 786 @InterfaceAudience.Public 787 @InterfaceStability.Evolving 788 public synchronized 789 static void loginUserFromSubject(Subject subject) throws IOException { 790 ensureInitialized(); 791 try { 792 if (subject == null) { 793 subject = new Subject(); 794 } 795 LoginContext login = 796 newLoginContext(authenticationMethod.getLoginAppName(), 797 subject, new HadoopConfiguration()); 798 login.login(); 799 UserGroupInformation realUser = new UserGroupInformation(subject); 800 realUser.setLogin(login); 801 realUser.setAuthenticationMethod(authenticationMethod); 802 realUser = new UserGroupInformation(login.getSubject()); 803 // If the HADOOP_PROXY_USER environment variable or property 804 // is specified, create a proxy user as the logged in user. 805 String proxyUser = System.getenv(HADOOP_PROXY_USER); 806 if (proxyUser == null) { 807 proxyUser = System.getProperty(HADOOP_PROXY_USER); 808 } 809 loginUser = proxyUser == null ? realUser : createProxyUser(proxyUser, realUser); 810 811 String fileLocation = System.getenv(HADOOP_TOKEN_FILE_LOCATION); 812 if (fileLocation != null) { 813 // Load the token storage file and put all of the tokens into the 814 // user. Don't use the FileSystem API for reading since it has a lock 815 // cycle (HADOOP-9212). 816 Credentials cred = Credentials.readTokenStorageFile( 817 new File(fileLocation), conf); 818 loginUser.addCredentials(cred); 819 } 820 loginUser.spawnAutoRenewalThreadForUserCreds(); 821 } catch (LoginException le) { 822 LOG.debug("failure to login", le); 823 throw new IOException("failure to login", le); 824 } 825 if (LOG.isDebugEnabled()) { 826 LOG.debug("UGI loginUser:"+loginUser); 827 } 828 } 829 830 @InterfaceAudience.Private 831 @InterfaceStability.Unstable 832 @VisibleForTesting 833 public synchronized static void setLoginUser(UserGroupInformation ugi) { 834 // if this is to become stable, should probably logout the currently 835 // logged in ugi if it's different 836 loginUser = ugi; 837 } 838 839 /** 840 * Is this user logged in from a keytab file? 841 * @return true if the credentials are from a keytab file. 842 */ 843 public boolean isFromKeytab() { 844 return isKeytab; 845 } 846 847 /** 848 * Get the Kerberos TGT 849 * @return the user's TGT or null if none was found 850 */ 851 private synchronized KerberosTicket getTGT() { 852 Set<KerberosTicket> tickets = subject 853 .getPrivateCredentials(KerberosTicket.class); 854 for (KerberosTicket ticket : tickets) { 855 if (SecurityUtil.isOriginalTGT(ticket)) { 856 if (LOG.isDebugEnabled()) { 857 LOG.debug("Found tgt " + ticket); 858 } 859 return ticket; 860 } 861 } 862 return null; 863 } 864 865 private long getRefreshTime(KerberosTicket tgt) { 866 long start = tgt.getStartTime().getTime(); 867 long end = tgt.getEndTime().getTime(); 868 return start + (long) ((end - start) * TICKET_RENEW_WINDOW); 869 } 870 871 /**Spawn a thread to do periodic renewals of kerberos credentials*/ 872 private void spawnAutoRenewalThreadForUserCreds() { 873 if (isSecurityEnabled()) { 874 //spawn thread only if we have kerb credentials 875 if (user.getAuthenticationMethod() == AuthenticationMethod.KERBEROS && 876 !isKeytab) { 877 Thread t = new Thread(new Runnable() { 878 879 @Override 880 public void run() { 881 String cmd = conf.get("hadoop.kerberos.kinit.command", 882 "kinit"); 883 KerberosTicket tgt = getTGT(); 884 if (tgt == null) { 885 return; 886 } 887 long nextRefresh = getRefreshTime(tgt); 888 while (true) { 889 try { 890 long now = Time.now(); 891 if(LOG.isDebugEnabled()) { 892 LOG.debug("Current time is " + now); 893 LOG.debug("Next refresh is " + nextRefresh); 894 } 895 if (now < nextRefresh) { 896 Thread.sleep(nextRefresh - now); 897 } 898 Shell.execCommand(cmd, "-R"); 899 if(LOG.isDebugEnabled()) { 900 LOG.debug("renewed ticket"); 901 } 902 reloginFromTicketCache(); 903 tgt = getTGT(); 904 if (tgt == null) { 905 LOG.warn("No TGT after renewal. Aborting renew thread for " + 906 getUserName()); 907 return; 908 } 909 nextRefresh = Math.max(getRefreshTime(tgt), 910 now + MIN_TIME_BEFORE_RELOGIN); 911 } catch (InterruptedException ie) { 912 LOG.warn("Terminating renewal thread"); 913 return; 914 } catch (IOException ie) { 915 LOG.warn("Exception encountered while running the" + 916 " renewal command. Aborting renew thread. " + ie); 917 return; 918 } 919 } 920 } 921 }); 922 t.setDaemon(true); 923 t.setName("TGT Renewer for " + getUserName()); 924 t.start(); 925 } 926 } 927 } 928 /** 929 * Log a user in from a keytab file. Loads a user identity from a keytab 930 * file and logs them in. They become the currently logged-in user. 931 * @param user the principal name to load from the keytab 932 * @param path the path to the keytab file 933 * @throws IOException if the keytab file can't be read 934 */ 935 @InterfaceAudience.Public 936 @InterfaceStability.Evolving 937 public synchronized 938 static void loginUserFromKeytab(String user, 939 String path 940 ) throws IOException { 941 if (!isSecurityEnabled()) 942 return; 943 944 keytabFile = path; 945 keytabPrincipal = user; 946 Subject subject = new Subject(); 947 LoginContext login; 948 long start = 0; 949 try { 950 login = newLoginContext(HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME, 951 subject, new HadoopConfiguration()); 952 start = Time.now(); 953 login.login(); 954 metrics.loginSuccess.add(Time.now() - start); 955 loginUser = new UserGroupInformation(subject); 956 loginUser.setLogin(login); 957 loginUser.setAuthenticationMethod(AuthenticationMethod.KERBEROS); 958 } catch (LoginException le) { 959 if (start > 0) { 960 metrics.loginFailure.add(Time.now() - start); 961 } 962 throw new IOException("Login failure for " + user + " from keytab " + 963 path+ ": " + le, le); 964 } 965 LOG.info("Login successful for user " + keytabPrincipal 966 + " using keytab file " + keytabFile); 967 } 968 969 /** 970 * Re-login a user from keytab if TGT is expired or is close to expiry. 971 * 972 * @throws IOException 973 */ 974 public synchronized void checkTGTAndReloginFromKeytab() throws IOException { 975 if (!isSecurityEnabled() 976 || user.getAuthenticationMethod() != AuthenticationMethod.KERBEROS 977 || !isKeytab) 978 return; 979 KerberosTicket tgt = getTGT(); 980 if (tgt != null && !shouldRenewImmediatelyForTests && 981 Time.now() < getRefreshTime(tgt)) { 982 return; 983 } 984 reloginFromKeytab(); 985 } 986 987 /** 988 * Re-Login a user in from a keytab file. Loads a user identity from a keytab 989 * file and logs them in. They become the currently logged-in user. This 990 * method assumes that {@link #loginUserFromKeytab(String, String)} had 991 * happened already. 992 * The Subject field of this UserGroupInformation object is updated to have 993 * the new credentials. 994 * @throws IOException on a failure 995 */ 996 @InterfaceAudience.Public 997 @InterfaceStability.Evolving 998 public synchronized void reloginFromKeytab() 999 throws IOException { 1000 if (!isSecurityEnabled() || 1001 user.getAuthenticationMethod() != AuthenticationMethod.KERBEROS || 1002 !isKeytab) 1003 return; 1004 1005 long now = Time.now(); 1006 if (!shouldRenewImmediatelyForTests && !hasSufficientTimeElapsed(now)) { 1007 return; 1008 } 1009 1010 KerberosTicket tgt = getTGT(); 1011 //Return if TGT is valid and is not going to expire soon. 1012 if (tgt != null && !shouldRenewImmediatelyForTests && 1013 now < getRefreshTime(tgt)) { 1014 return; 1015 } 1016 1017 LoginContext login = getLogin(); 1018 if (login == null || keytabFile == null) { 1019 throw new IOException("loginUserFromKeyTab must be done first"); 1020 } 1021 1022 long start = 0; 1023 // register most recent relogin attempt 1024 user.setLastLogin(now); 1025 try { 1026 if (LOG.isDebugEnabled()) { 1027 LOG.debug("Initiating logout for " + getUserName()); 1028 } 1029 synchronized (UserGroupInformation.class) { 1030 // clear up the kerberos state. But the tokens are not cleared! As per 1031 // the Java kerberos login module code, only the kerberos credentials 1032 // are cleared 1033 login.logout(); 1034 // login and also update the subject field of this instance to 1035 // have the new credentials (pass it to the LoginContext constructor) 1036 login = newLoginContext( 1037 HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME, getSubject(), 1038 new HadoopConfiguration()); 1039 if (LOG.isDebugEnabled()) { 1040 LOG.debug("Initiating re-login for " + keytabPrincipal); 1041 } 1042 start = Time.now(); 1043 login.login(); 1044 metrics.loginSuccess.add(Time.now() - start); 1045 setLogin(login); 1046 } 1047 } catch (LoginException le) { 1048 if (start > 0) { 1049 metrics.loginFailure.add(Time.now() - start); 1050 } 1051 throw new IOException("Login failure for " + keytabPrincipal + 1052 " from keytab " + keytabFile, le); 1053 } 1054 } 1055 1056 /** 1057 * Re-Login a user in from the ticket cache. This 1058 * method assumes that login had happened already. 1059 * The Subject field of this UserGroupInformation object is updated to have 1060 * the new credentials. 1061 * @throws IOException on a failure 1062 */ 1063 @InterfaceAudience.Public 1064 @InterfaceStability.Evolving 1065 public synchronized void reloginFromTicketCache() 1066 throws IOException { 1067 if (!isSecurityEnabled() || 1068 user.getAuthenticationMethod() != AuthenticationMethod.KERBEROS || 1069 !isKrbTkt) 1070 return; 1071 LoginContext login = getLogin(); 1072 if (login == null) { 1073 throw new IOException("login must be done first"); 1074 } 1075 long now = Time.now(); 1076 if (!hasSufficientTimeElapsed(now)) { 1077 return; 1078 } 1079 // register most recent relogin attempt 1080 user.setLastLogin(now); 1081 try { 1082 if (LOG.isDebugEnabled()) { 1083 LOG.debug("Initiating logout for " + getUserName()); 1084 } 1085 //clear up the kerberos state. But the tokens are not cleared! As per 1086 //the Java kerberos login module code, only the kerberos credentials 1087 //are cleared 1088 login.logout(); 1089 //login and also update the subject field of this instance to 1090 //have the new credentials (pass it to the LoginContext constructor) 1091 login = 1092 newLoginContext(HadoopConfiguration.USER_KERBEROS_CONFIG_NAME, 1093 getSubject(), new HadoopConfiguration()); 1094 if (LOG.isDebugEnabled()) { 1095 LOG.debug("Initiating re-login for " + getUserName()); 1096 } 1097 login.login(); 1098 setLogin(login); 1099 } catch (LoginException le) { 1100 throw new IOException("Login failure for " + getUserName(), le); 1101 } 1102 } 1103 1104 1105 /** 1106 * Log a user in from a keytab file. Loads a user identity from a keytab 1107 * file and login them in. This new user does not affect the currently 1108 * logged-in user. 1109 * @param user the principal name to load from the keytab 1110 * @param path the path to the keytab file 1111 * @throws IOException if the keytab file can't be read 1112 */ 1113 public synchronized 1114 static UserGroupInformation loginUserFromKeytabAndReturnUGI(String user, 1115 String path 1116 ) throws IOException { 1117 if (!isSecurityEnabled()) 1118 return UserGroupInformation.getCurrentUser(); 1119 String oldKeytabFile = null; 1120 String oldKeytabPrincipal = null; 1121 1122 long start = 0; 1123 try { 1124 oldKeytabFile = keytabFile; 1125 oldKeytabPrincipal = keytabPrincipal; 1126 keytabFile = path; 1127 keytabPrincipal = user; 1128 Subject subject = new Subject(); 1129 1130 LoginContext login = newLoginContext( 1131 HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME, subject, 1132 new HadoopConfiguration()); 1133 1134 start = Time.now(); 1135 login.login(); 1136 metrics.loginSuccess.add(Time.now() - start); 1137 UserGroupInformation newLoginUser = new UserGroupInformation(subject); 1138 newLoginUser.setLogin(login); 1139 newLoginUser.setAuthenticationMethod(AuthenticationMethod.KERBEROS); 1140 1141 return newLoginUser; 1142 } catch (LoginException le) { 1143 if (start > 0) { 1144 metrics.loginFailure.add(Time.now() - start); 1145 } 1146 throw new IOException("Login failure for " + user + " from keytab " + 1147 path, le); 1148 } finally { 1149 if(oldKeytabFile != null) keytabFile = oldKeytabFile; 1150 if(oldKeytabPrincipal != null) keytabPrincipal = oldKeytabPrincipal; 1151 } 1152 } 1153 1154 private boolean hasSufficientTimeElapsed(long now) { 1155 if (now - user.getLastLogin() < MIN_TIME_BEFORE_RELOGIN ) { 1156 LOG.warn("Not attempting to re-login since the last re-login was " + 1157 "attempted less than " + (MIN_TIME_BEFORE_RELOGIN/1000) + " seconds"+ 1158 " before."); 1159 return false; 1160 } 1161 return true; 1162 } 1163 1164 /** 1165 * Did the login happen via keytab 1166 * @return true or false 1167 */ 1168 @InterfaceAudience.Public 1169 @InterfaceStability.Evolving 1170 public synchronized static boolean isLoginKeytabBased() throws IOException { 1171 return getLoginUser().isKeytab; 1172 } 1173 1174 /** 1175 * Did the login happen via ticket cache 1176 * @return true or false 1177 */ 1178 public static boolean isLoginTicketBased() throws IOException { 1179 return getLoginUser().isKrbTkt; 1180 } 1181 1182 /** 1183 * Create a user from a login name. It is intended to be used for remote 1184 * users in RPC, since it won't have any credentials. 1185 * @param user the full user principal name, must not be empty or null 1186 * @return the UserGroupInformation for the remote user. 1187 */ 1188 @InterfaceAudience.Public 1189 @InterfaceStability.Evolving 1190 public static UserGroupInformation createRemoteUser(String user) { 1191 return createRemoteUser(user, AuthMethod.SIMPLE); 1192 } 1193 1194 /** 1195 * Create a user from a login name. It is intended to be used for remote 1196 * users in RPC, since it won't have any credentials. 1197 * @param user the full user principal name, must not be empty or null 1198 * @return the UserGroupInformation for the remote user. 1199 */ 1200 @InterfaceAudience.Public 1201 @InterfaceStability.Evolving 1202 public static UserGroupInformation createRemoteUser(String user, AuthMethod authMethod) { 1203 if (user == null || user.isEmpty()) { 1204 throw new IllegalArgumentException("Null user"); 1205 } 1206 Subject subject = new Subject(); 1207 subject.getPrincipals().add(new User(user)); 1208 UserGroupInformation result = new UserGroupInformation(subject); 1209 result.setAuthenticationMethod(authMethod); 1210 return result; 1211 } 1212 1213 /** 1214 * existing types of authentications' methods 1215 */ 1216 @InterfaceAudience.Public 1217 @InterfaceStability.Evolving 1218 public static enum AuthenticationMethod { 1219 // currently we support only one auth per method, but eventually a 1220 // subtype is needed to differentiate, ex. if digest is token or ldap 1221 SIMPLE(AuthMethod.SIMPLE, 1222 HadoopConfiguration.SIMPLE_CONFIG_NAME), 1223 KERBEROS(AuthMethod.KERBEROS, 1224 HadoopConfiguration.USER_KERBEROS_CONFIG_NAME), 1225 TOKEN(AuthMethod.TOKEN), 1226 CERTIFICATE(null), 1227 KERBEROS_SSL(null), 1228 PROXY(null); 1229 1230 private final AuthMethod authMethod; 1231 private final String loginAppName; 1232 1233 private AuthenticationMethod(AuthMethod authMethod) { 1234 this(authMethod, null); 1235 } 1236 private AuthenticationMethod(AuthMethod authMethod, String loginAppName) { 1237 this.authMethod = authMethod; 1238 this.loginAppName = loginAppName; 1239 } 1240 1241 public AuthMethod getAuthMethod() { 1242 return authMethod; 1243 } 1244 1245 String getLoginAppName() { 1246 if (loginAppName == null) { 1247 throw new UnsupportedOperationException( 1248 this + " login authentication is not supported"); 1249 } 1250 return loginAppName; 1251 } 1252 1253 public static AuthenticationMethod valueOf(AuthMethod authMethod) { 1254 for (AuthenticationMethod value : values()) { 1255 if (value.getAuthMethod() == authMethod) { 1256 return value; 1257 } 1258 } 1259 throw new IllegalArgumentException( 1260 "no authentication method for " + authMethod); 1261 } 1262 }; 1263 1264 /** 1265 * Create a proxy user using username of the effective user and the ugi of the 1266 * real user. 1267 * @param user 1268 * @param realUser 1269 * @return proxyUser ugi 1270 */ 1271 @InterfaceAudience.Public 1272 @InterfaceStability.Evolving 1273 public static UserGroupInformation createProxyUser(String user, 1274 UserGroupInformation realUser) { 1275 if (user == null || user.isEmpty()) { 1276 throw new IllegalArgumentException("Null user"); 1277 } 1278 if (realUser == null) { 1279 throw new IllegalArgumentException("Null real user"); 1280 } 1281 Subject subject = new Subject(); 1282 Set<Principal> principals = subject.getPrincipals(); 1283 principals.add(new User(user)); 1284 principals.add(new RealUser(realUser)); 1285 UserGroupInformation result =new UserGroupInformation(subject); 1286 result.setAuthenticationMethod(AuthenticationMethod.PROXY); 1287 return result; 1288 } 1289 1290 /** 1291 * get RealUser (vs. EffectiveUser) 1292 * @return realUser running over proxy user 1293 */ 1294 @InterfaceAudience.Public 1295 @InterfaceStability.Evolving 1296 public UserGroupInformation getRealUser() { 1297 for (RealUser p: subject.getPrincipals(RealUser.class)) { 1298 return p.getRealUser(); 1299 } 1300 return null; 1301 } 1302 1303 1304 1305 /** 1306 * This class is used for storing the groups for testing. It stores a local 1307 * map that has the translation of usernames to groups. 1308 */ 1309 private static class TestingGroups extends Groups { 1310 private final Map<String, List<String>> userToGroupsMapping = 1311 new HashMap<String,List<String>>(); 1312 private Groups underlyingImplementation; 1313 1314 private TestingGroups(Groups underlyingImplementation) { 1315 super(new org.apache.hadoop.conf.Configuration()); 1316 this.underlyingImplementation = underlyingImplementation; 1317 } 1318 1319 @Override 1320 public List<String> getGroups(String user) throws IOException { 1321 List<String> result = userToGroupsMapping.get(user); 1322 1323 if (result == null) { 1324 result = underlyingImplementation.getGroups(user); 1325 } 1326 1327 return result; 1328 } 1329 1330 private void setUserGroups(String user, String[] groups) { 1331 userToGroupsMapping.put(user, Arrays.asList(groups)); 1332 } 1333 } 1334 1335 /** 1336 * Create a UGI for testing HDFS and MapReduce 1337 * @param user the full user principal name 1338 * @param userGroups the names of the groups that the user belongs to 1339 * @return a fake user for running unit tests 1340 */ 1341 @InterfaceAudience.Public 1342 @InterfaceStability.Evolving 1343 public static UserGroupInformation createUserForTesting(String user, 1344 String[] userGroups) { 1345 ensureInitialized(); 1346 UserGroupInformation ugi = createRemoteUser(user); 1347 // make sure that the testing object is setup 1348 if (!(groups instanceof TestingGroups)) { 1349 groups = new TestingGroups(groups); 1350 } 1351 // add the user groups 1352 ((TestingGroups) groups).setUserGroups(ugi.getShortUserName(), userGroups); 1353 return ugi; 1354 } 1355 1356 1357 /** 1358 * Create a proxy user UGI for testing HDFS and MapReduce 1359 * 1360 * @param user 1361 * the full user principal name for effective user 1362 * @param realUser 1363 * UGI of the real user 1364 * @param userGroups 1365 * the names of the groups that the user belongs to 1366 * @return a fake user for running unit tests 1367 */ 1368 public static UserGroupInformation createProxyUserForTesting(String user, 1369 UserGroupInformation realUser, String[] userGroups) { 1370 ensureInitialized(); 1371 UserGroupInformation ugi = createProxyUser(user, realUser); 1372 // make sure that the testing object is setup 1373 if (!(groups instanceof TestingGroups)) { 1374 groups = new TestingGroups(groups); 1375 } 1376 // add the user groups 1377 ((TestingGroups) groups).setUserGroups(ugi.getShortUserName(), userGroups); 1378 return ugi; 1379 } 1380 1381 /** 1382 * Get the user's login name. 1383 * @return the user's name up to the first '/' or '@'. 1384 */ 1385 public String getShortUserName() { 1386 for (User p: subject.getPrincipals(User.class)) { 1387 return p.getShortName(); 1388 } 1389 return null; 1390 } 1391 1392 public String getPrimaryGroupName() throws IOException { 1393 String[] groups = getGroupNames(); 1394 if (groups.length == 0) { 1395 throw new IOException("There is no primary group for UGI " + this); 1396 } 1397 return groups[0]; 1398 } 1399 1400 /** 1401 * Get the user's full principal name. 1402 * @return the user's full principal name. 1403 */ 1404 @InterfaceAudience.Public 1405 @InterfaceStability.Evolving 1406 public String getUserName() { 1407 return user.getName(); 1408 } 1409 1410 /** 1411 * Add a TokenIdentifier to this UGI. The TokenIdentifier has typically been 1412 * authenticated by the RPC layer as belonging to the user represented by this 1413 * UGI. 1414 * 1415 * @param tokenId 1416 * tokenIdentifier to be added 1417 * @return true on successful add of new tokenIdentifier 1418 */ 1419 public synchronized boolean addTokenIdentifier(TokenIdentifier tokenId) { 1420 return subject.getPublicCredentials().add(tokenId); 1421 } 1422 1423 /** 1424 * Get the set of TokenIdentifiers belonging to this UGI 1425 * 1426 * @return the set of TokenIdentifiers belonging to this UGI 1427 */ 1428 public synchronized Set<TokenIdentifier> getTokenIdentifiers() { 1429 return subject.getPublicCredentials(TokenIdentifier.class); 1430 } 1431 1432 /** 1433 * Add a token to this UGI 1434 * 1435 * @param token Token to be added 1436 * @return true on successful add of new token 1437 */ 1438 public boolean addToken(Token<? extends TokenIdentifier> token) { 1439 return (token != null) ? addToken(token.getService(), token) : false; 1440 } 1441 1442 /** 1443 * Add a named token to this UGI 1444 * 1445 * @param alias Name of the token 1446 * @param token Token to be added 1447 * @return true on successful add of new token 1448 */ 1449 public boolean addToken(Text alias, Token<? extends TokenIdentifier> token) { 1450 synchronized (subject) { 1451 getCredentialsInternal().addToken(alias, token); 1452 return true; 1453 } 1454 } 1455 1456 /** 1457 * Obtain the collection of tokens associated with this user. 1458 * 1459 * @return an unmodifiable collection of tokens associated with user 1460 */ 1461 public Collection<Token<? extends TokenIdentifier>> getTokens() { 1462 synchronized (subject) { 1463 return Collections.unmodifiableCollection( 1464 new ArrayList<Token<?>>(getCredentialsInternal().getAllTokens())); 1465 } 1466 } 1467 1468 /** 1469 * Obtain the tokens in credentials form associated with this user. 1470 * 1471 * @return Credentials of tokens associated with this user 1472 */ 1473 public Credentials getCredentials() { 1474 synchronized (subject) { 1475 Credentials creds = new Credentials(getCredentialsInternal()); 1476 Iterator<Token<?>> iter = creds.getAllTokens().iterator(); 1477 while (iter.hasNext()) { 1478 if (iter.next() instanceof Token.PrivateToken) { 1479 iter.remove(); 1480 } 1481 } 1482 return creds; 1483 } 1484 } 1485 1486 /** 1487 * Add the given Credentials to this user. 1488 * @param credentials of tokens and secrets 1489 */ 1490 public void addCredentials(Credentials credentials) { 1491 synchronized (subject) { 1492 getCredentialsInternal().addAll(credentials); 1493 } 1494 } 1495 1496 private synchronized Credentials getCredentialsInternal() { 1497 final Credentials credentials; 1498 final Set<Credentials> credentialsSet = 1499 subject.getPrivateCredentials(Credentials.class); 1500 if (!credentialsSet.isEmpty()){ 1501 credentials = credentialsSet.iterator().next(); 1502 } else { 1503 credentials = new Credentials(); 1504 subject.getPrivateCredentials().add(credentials); 1505 } 1506 return credentials; 1507 } 1508 1509 /** 1510 * Get the group names for this user. 1511 * @return the list of users with the primary group first. If the command 1512 * fails, it returns an empty list. 1513 */ 1514 public synchronized String[] getGroupNames() { 1515 ensureInitialized(); 1516 try { 1517 Set<String> result = new LinkedHashSet<String> 1518 (groups.getGroups(getShortUserName())); 1519 return result.toArray(new String[result.size()]); 1520 } catch (IOException ie) { 1521 LOG.warn("No groups available for user " + getShortUserName()); 1522 return new String[0]; 1523 } 1524 } 1525 1526 /** 1527 * Return the username. 1528 */ 1529 @Override 1530 public String toString() { 1531 StringBuilder sb = new StringBuilder(getUserName()); 1532 sb.append(" (auth:"+getAuthenticationMethod()+")"); 1533 if (getRealUser() != null) { 1534 sb.append(" via ").append(getRealUser().toString()); 1535 } 1536 return sb.toString(); 1537 } 1538 1539 /** 1540 * Sets the authentication method in the subject 1541 * 1542 * @param authMethod 1543 */ 1544 public synchronized 1545 void setAuthenticationMethod(AuthenticationMethod authMethod) { 1546 user.setAuthenticationMethod(authMethod); 1547 } 1548 1549 /** 1550 * Sets the authentication method in the subject 1551 * 1552 * @param authMethod 1553 */ 1554 public void setAuthenticationMethod(AuthMethod authMethod) { 1555 user.setAuthenticationMethod(AuthenticationMethod.valueOf(authMethod)); 1556 } 1557 1558 /** 1559 * Get the authentication method from the subject 1560 * 1561 * @return AuthenticationMethod in the subject, null if not present. 1562 */ 1563 public synchronized AuthenticationMethod getAuthenticationMethod() { 1564 return user.getAuthenticationMethod(); 1565 } 1566 1567 /** 1568 * Get the authentication method from the real user's subject. If there 1569 * is no real user, return the given user's authentication method. 1570 * 1571 * @return AuthenticationMethod in the subject, null if not present. 1572 */ 1573 public synchronized AuthenticationMethod getRealAuthenticationMethod() { 1574 UserGroupInformation ugi = getRealUser(); 1575 if (ugi == null) { 1576 ugi = this; 1577 } 1578 return ugi.getAuthenticationMethod(); 1579 } 1580 1581 /** 1582 * Returns the authentication method of a ugi. If the authentication method is 1583 * PROXY, returns the authentication method of the real user. 1584 * 1585 * @param ugi 1586 * @return AuthenticationMethod 1587 */ 1588 public static AuthenticationMethod getRealAuthenticationMethod( 1589 UserGroupInformation ugi) { 1590 AuthenticationMethod authMethod = ugi.getAuthenticationMethod(); 1591 if (authMethod == AuthenticationMethod.PROXY) { 1592 authMethod = ugi.getRealUser().getAuthenticationMethod(); 1593 } 1594 return authMethod; 1595 } 1596 1597 /** 1598 * Compare the subjects to see if they are equal to each other. 1599 */ 1600 @Override 1601 public boolean equals(Object o) { 1602 if (o == this) { 1603 return true; 1604 } else if (o == null || getClass() != o.getClass()) { 1605 return false; 1606 } else { 1607 return subject == ((UserGroupInformation) o).subject; 1608 } 1609 } 1610 1611 /** 1612 * Return the hash of the subject. 1613 */ 1614 @Override 1615 public int hashCode() { 1616 return System.identityHashCode(subject); 1617 } 1618 1619 /** 1620 * Get the underlying subject from this ugi. 1621 * @return the subject that represents this user. 1622 */ 1623 protected Subject getSubject() { 1624 return subject; 1625 } 1626 1627 /** 1628 * Run the given action as the user. 1629 * @param <T> the return type of the run method 1630 * @param action the method to execute 1631 * @return the value from the run method 1632 */ 1633 @InterfaceAudience.Public 1634 @InterfaceStability.Evolving 1635 public <T> T doAs(PrivilegedAction<T> action) { 1636 logPrivilegedAction(subject, action); 1637 return Subject.doAs(subject, action); 1638 } 1639 1640 /** 1641 * Run the given action as the user, potentially throwing an exception. 1642 * @param <T> the return type of the run method 1643 * @param action the method to execute 1644 * @return the value from the run method 1645 * @throws IOException if the action throws an IOException 1646 * @throws Error if the action throws an Error 1647 * @throws RuntimeException if the action throws a RuntimeException 1648 * @throws InterruptedException if the action throws an InterruptedException 1649 * @throws UndeclaredThrowableException if the action throws something else 1650 */ 1651 @InterfaceAudience.Public 1652 @InterfaceStability.Evolving 1653 public <T> T doAs(PrivilegedExceptionAction<T> action 1654 ) throws IOException, InterruptedException { 1655 try { 1656 logPrivilegedAction(subject, action); 1657 return Subject.doAs(subject, action); 1658 } catch (PrivilegedActionException pae) { 1659 Throwable cause = pae.getCause(); 1660 if (LOG.isDebugEnabled()) { 1661 LOG.debug("PrivilegedActionException as:" + this + " cause:" + cause); 1662 } 1663 if (cause instanceof IOException) { 1664 throw (IOException) cause; 1665 } else if (cause instanceof Error) { 1666 throw (Error) cause; 1667 } else if (cause instanceof RuntimeException) { 1668 throw (RuntimeException) cause; 1669 } else if (cause instanceof InterruptedException) { 1670 throw (InterruptedException) cause; 1671 } else { 1672 throw new UndeclaredThrowableException(cause); 1673 } 1674 } 1675 } 1676 1677 private void logPrivilegedAction(Subject subject, Object action) { 1678 if (LOG.isDebugEnabled()) { 1679 // would be nice if action included a descriptive toString() 1680 String where = new Throwable().getStackTrace()[2].toString(); 1681 LOG.debug("PrivilegedAction as:"+this+" from:"+where); 1682 } 1683 } 1684 1685 private void print() throws IOException { 1686 System.out.println("User: " + getUserName()); 1687 System.out.print("Group Ids: "); 1688 System.out.println(); 1689 String[] groups = getGroupNames(); 1690 System.out.print("Groups: "); 1691 for(int i=0; i < groups.length; i++) { 1692 System.out.print(groups[i] + " "); 1693 } 1694 System.out.println(); 1695 } 1696 1697 /** 1698 * A test method to print out the current user's UGI. 1699 * @param args if there are two arguments, read the user from the keytab 1700 * and print it out. 1701 * @throws Exception 1702 */ 1703 public static void main(String [] args) throws Exception { 1704 System.out.println("Getting UGI for current user"); 1705 UserGroupInformation ugi = getCurrentUser(); 1706 ugi.print(); 1707 System.out.println("UGI: " + ugi); 1708 System.out.println("Auth method " + ugi.user.getAuthenticationMethod()); 1709 System.out.println("Keytab " + ugi.isKeytab); 1710 System.out.println("============================================================"); 1711 1712 if (args.length == 2) { 1713 System.out.println("Getting UGI from keytab...."); 1714 loginUserFromKeytab(args[0], args[1]); 1715 getCurrentUser().print(); 1716 System.out.println("Keytab: " + ugi); 1717 System.out.println("Auth method " + loginUser.user.getAuthenticationMethod()); 1718 System.out.println("Keytab " + loginUser.isKeytab); 1719 } 1720 } 1721 1722}